gha-reusable-workflows/.github/workflows/publish-image.yaml at b7aec1c2c5a84d75e6554f9dcf6c250a2e9cd5fa · bridgecrewio/gha-reusable-workflows · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
name: publish-image

on:
  workflow_call:
    inputs:
      image_name_dockerhub:
        description: "Image name for Docker Hub"
        required: true
        type: string
      image_name_ghcr:
        description: "Image name for GitHub container registry"
        required: true
        type: string
      image_tag_full:
        description: "Full length image tag"
        required: true
        type: string
      image_tag_short:
        description: "Short length image tag"
        required: true
        type: string

      dockerfile_path:
        description: "Path to Dockerfile"
        default: "Dockerfile"
        required: false
        type: string
      environment:
        description: "GitHub environment"
        default: "release"
        required: false
        type: string
      image_platforms:
        description: "List of target platforms for build"
        default: "linux/amd64,linux/arm64"
        required: false
        type: string
      runner:
        description: "GitHub runner label"
        default: "ubuntu-latest"
        required: false
        type: string
    secrets:
      BC_API_KEY:
        description: "Bridgecrew API key"
        required: true
      DOCKERHUB_USERNAME:
        description: "Docker Hub username"
        required: true
      DOCKERHUB_PASSWORD:
        description: "Docker Hub password"
        required: true

permissions:
  contents: read

jobs:
  publish-image:
    runs-on: ${{ fromJSON(inputs.runner) }}
    environment: ${{ inputs.environment }}
    permissions:
      id-token: write  # Enable OIDC
      packages: write
    env:
      DH_IMAGE_NAME: ${{ inputs.image_name_dockerhub }}
      GHCR_IMAGE_NAME: ${{ inputs.image_name_ghcr }}
      FULL_IMAGE_TAG: ${{ inputs.image_tag_full }}
      SHORT_IMAGE_TAG: ${{ inputs.image_tag_short }}
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
      - uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8  # v3.2.0
      - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3  # v3.0.0
        with:
          platforms: 'arm64,arm'
      - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226  # v3.0.0
      - name: Login to Docker Hub
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d  # v3.0.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
      - name: Login to GitHub Container Registry
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d  # v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Docker meta
        id: docker_meta
        uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c  # v5.5.0
        with:
          images: ${{ env.DH_IMAGE_NAME }}
          labels: |
            org.opencontainers.image.authors=Bridgecrew
            org.opencontainers.image.version=${{ env.FULL_IMAGE_TAG }}
      - name: Build and export image to Docker
        # buildx changes the driver to 'docker-container' which doesn't expose the image to the host,
        # so it is built and loaded to Docker and in the next step pushed to the registry
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56  # v5.1.0
        with:
          context: .
          file: ${{ inputs.dockerfile_path }}
          no-cache: true
          load: true
          labels: ${{ steps.docker_meta.outputs.labels }}
          tags: ${{ env.DH_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }}
      - name: Push Docker image
        id: docker_push
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56  # v5.1.0
        with:
          context: .
          file: ${{ inputs.dockerfile_path }}
          platforms: ${{ inputs.image_platforms }}
          push: true
          labels: ${{ steps.docker_meta.outputs.labels }}
          tags: |
            ${{ env.DH_IMAGE_NAME }}:latest
            ${{ env.DH_IMAGE_NAME }}:${{ env.SHORT_IMAGE_TAG }}
            ${{ env.DH_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }}
            ${{ env.GHCR_IMAGE_NAME }}:latest
            ${{ env.GHCR_IMAGE_NAME }}:${{ env.SHORT_IMAGE_TAG }}
            ${{ env.GHCR_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }}
      - name: Generate SBOM
        continue-on-error: true
        uses: bridgecrewio/checkov-action@master  # use latest and greatest
        with:
          api-key: ${{ secrets.BC_API_KEY }}
          docker_image: ${{ env.DH_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }}
          dockerfile_path: ${{ inputs.dockerfile_path }}
          output_format: cyclonedx_json
          output_file_path: cyclonedx.json,
      - name: Sign and attest image
        run: |
          # sign image
          cosign sign -y ${{ env.GHCR_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}

          # attest SBOM
          cosign attest -y \
            --type cyclonedx \
            --predicate cyclonedx.json \
            ${{ env.DH_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}
          cosign attest -y \
            --type cyclonedx \
            --predicate cyclonedx.json \
            ${{ env.GHCR_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}